This application relates to a method and apparatus for preventing attacks on computer network systems.
Concurrent with the rise in connectivity among diverse computer networks and the corresponding increase in dependence on networked information systems, there has been a dramatic increase in the need for robust security to enforce restrictions on access to and prevent intrusion on secure systems. The topology of the interconnected networks has also grown increasingly complex, and often involves open networks such as the Internet or the Extranet that expose secure systems to increased threats of attack. Consequently, no single solution has yet been proposed that addresses all current needs for intrusion detection, intrusion prevention and response. Instead, a vast assortment of security devices and techniques has evolved and has generally been implemented differently on individual systems. This has resulted in a global security patchwork, inherently susceptible to attack and to individual systems which themselves implement a hodge podge of different security devices and techniques.
Attempts to gain unauthorized access to computer networks capitalize on inherent loopholes in a network's security topology. It is known, for example, that although a secure system connected to the Internet may include firewalls and intrusion detection systems to prevent unauthorized access, weaknesses in individual security components are often sought out and successfully exploited. The rapid introduction of new technology exacerbates the problem, creating or exposing additional weaknesses that may not become known even after a breach in security has already occurred. Some currently available intrusion tools allow an intruder to evade detection by intrusion detection systems.
A fundamental weakness shared in common by current intrusion detection and response systems is their “flat” or non-hierarchical implementation. The configuration shown in FIG. 1 is an example of such a typical network implementation on a hypothetical “target network.” The network 10 includes a plurality of file servers 14, workstations 16, a network intrusion detection system (IDS) 18, a remote access server 20 and a web server 22. These devices are connected to each other over a network backbone 12, and form a local or wide-area network (LAN or WAN, respectively). Router 26 is connected directly to an open network such as the internet, 30, and is connected to the devices on the network backbone 12 through a network firewall 24.
The firewall 24 and the IDS 18 are part of the security system of network 10. Firewall 24 is configurable and serves to control access by hosts on the Internet to resources on the network. This protects network 10 from intruders outside the firewall, essentially by filtering them out. IDS 18 scans packets of information transmitted over backbone 12 and is configured to detect specific kinds of transactions that indicate that an intruder is attempting, or already has gained access to the network, 10. In this way, the IDS detects intruders inside as well as outside the firewall. Other devices on network 10 may also contribute to network security, such as remote access server 20 which permits access directly to network 10 from remote computers (not shown), for example, over a modem. Remote access server 20 must also implement some security function such as username and password verification to prevent intruders from gaining access to the network and bypassing firewall 24.
In a typical intrusion scenario on a target network connected to the internet, an intruder will first learn as much as possible about the target network from available public information. At this stage, the intruder may do a “whois” lookup, or research DNS tables or public web sites associated with the target. Then, the intruder will engage in a variety of common techniques to scan for information. The intruder may do a “ping” sweep in order to see which machines on the target network are running, run a port-map to determine the services available on the network, or they may employ various scanning utilities well known in the art such as “rcpinfo”, “showmount” or “snmpwalk” to uncover more detailed information about the target network's topology. At this stage the intruder has done no harm to the system, but a correctly configured network IDS should be able, depending on its vantage point on the network, to detect and report surveillance techniques of intruders that follow known patterns of suspicious activity. These static definitions, known as “intrusion signatures”, are effective only when the intruder takes an action or series of actions that closely follow the established definitions of suspicious activity. Consequently, if the IDS is not updated, is disabled, evaded or encounters an unknown or new method of attack, it will not respond properly. However, if steps are not taken at this point in the attack to prevent further penetration into the target network, the intruder may actually begin to invade the network, exploiting any security weaknesses (such as the IDS that may have not reacted earlier to the intruder), and securing a foothold on the network. Once entrenched, the intruder may be able to modify or disable any device belonging to the target network including any remaining IDS or firewall.
Methods used by intruders to gain unauthorized access to computer networks evolve in sophistication in lock step with advances in security technology. It is typical, however, that successful attacks on network systems often begin by attacking the security subsystems in place on the target network that are responsible for detecting common intrusion signatures, disabling those systems and destroying evidence of the intrusion.
U.S. Pat. No. 5,916,644 to Kurtzberg et al. discloses a method for testing the integrity of security subsystems wherein a specifically configured system connected directly to a target computer network will systematically test security on the network by simulating attacks on security devices in order to verify that they are operational. Specifically, the disclosed method randomly simulates an attack on the network. If the attack is detected, the security subsystems are assumed to be functioning. If not, they are considered compromised, and an attack may already be underway. This method is an improvement over passive systems that do not check themselves and therefore cannot properly report on their own status when they have been disabled.
A major shortcoming of this approach is that these security systems reside on the same networks that they seek to protect and are similarly vulnerable to attack once an intruder has gotten a foothold on the network. In other words, they are not themselves immune to the attacks of intruders. As a result each advance in the prior art is just another new security hurdle on the network to be defeated. Additionally, by only testing security from a single location, they will likely not detect a ‘filtered’ detection system, whereby only specific events are not reported. This can allow a compromised system to still function within the specified parameters. In this light, the active scanning approach disclosed in Kurtzberg is not fundamentally different from any other security measure (such as firewall) in that it is non-hierarchical and depends completely on the vigilance of a human network manager.
Therefore, there exists a need for a self-diagnosing network security system that can protect a target network from both internal and external intruders and that is resistant to attacks perpetuated on the system it has been deployed to protect. Furthermore, there is a need for an active security system that will take measured action against perceived security threats even in the absence of a human network manager.
Further, with the ability of a single IDS sensor to create hundreds of thousands of events, many companies find it impossible to effectively monitor and prioritize the constant stream of alerts. Some companies respond by reducing the sensitivity of the IDS, making for fewer alerts and less stress on their staff However, this often has an undesired effect: it diminishes the ability of an IDS to detect real threats, resulting in a high rate of false negatives. Thus, there is a need for a security system capable of sorting through multiple event messages and concentrating on the events that pose a security risk.
Government regulations and client demands are prompting more companies to conduct Internet security assessments, from comprehensive perimeter assessments to focused penetration tests. Internal scans, vulnerability assessments, server assessments and hardening are elements of a comprehensive e-security strategy. However, they do a poor job of assessing the weakest link in security, i.e., a company's connection to the Internet. Thus, there is a need in the industry for Internet-based assessment and monitoring to protect resources that interact with customers, employees and partners over the Internet.